GDPR Explained

With only 2 weeks to go before GDPR goes into effect, there are still a number of individuals wondering what the fuss is about. This post explains GDPR in its simplest form.

I am sure most of us have received emails saying that an organization is GDPR compliant or is working towards it. What is it? Let us read on…

‘Data privacy’ has become a big issue in the age of data breaches and hacks. With the advent of social media, personal data is ubiquitous. Organizations require individuals to enter personal information such as name, date of birth, email address and pictures in order to sign up for or log in to their website. Online shopping also requires one to enter credit card numbers, and there is a possibility that these numbers will be stored for future use. This data is stored on an organization’s servers (for any amount of time). The data also moves from company to company without the individual having any knowledge of or control over it. An unknowing user (in the zest of sharing) might give consent for his personal information to be “sold” to third parties or to other companies with which the primary company does business.

With so much personal data strewn around an organization, it is but obvious that this private data will be harvested by businesses. The user has no idea who has their information and what is being done with it. To add to all this misery, each day comes with news about someone’s personal information being compromised. Now the user is even more clueless about his data. Who has illegally accessed his data? What is being done about it? Are invisible miscreants following him online and offline? All this is meant to change once May 25th dawns in the European Union.

May 25th 2018:

So, what happens on May 25, 2018? This is the day that ‘GDPR’ comes into effect. What is GDPR? For the uninitiated, GDPR stands for ‘General Data Protection Regulation’ (Regulation (EU) 2016/679). Being a regulation rather than a directive, it applies directly and uniformly in every EU member state without needing separate national laws, replacing the 1995 Data Protection Directive. GDPR gives individuals in the European Union more control over their personal data. Here are the salient features of the GDPR:

At the outset, the geographical reach of GDPR is laid out (Article 3), so there is little ambiguity about who must comply. GDPR applies to any organization established in the EU that processes personal data, regardless of where the processing itself takes place. It also applies to organizations outside the EU if they offer goods or services to individuals in the EU (whether or not payment is involved) or monitor the behaviour of individuals in the EU, for example by tracking them online. Note that the test is where the individual is located, not their citizenship.

The concepts of ‘controllers’ and ‘processors’ are defined. A controller is the organization that determines the purposes and means of processing personal data, i.e. the one that decides why and how the data is used. A processor is an organization that processes personal data on behalf of a controller (a cloud hosting provider or an email marketing service, for instance). Controllers carry the primary responsibility under GDPR: they may only use processors that provide sufficient guarantees of compliance, and the relationship must be governed by a written contract (Article 28). Unlike under the old directive, processors now also have direct obligations of their own, such as keeping records of processing and notifying the controller of breaches.

Huge penalties are imposed on organizations for not being GDPR compliant. For the most serious infringements, organizations can be fined up to 4% of global annual turnover or 20 million Euros (whichever is greater); a lower tier of up to 2% or 10 million Euros applies to infringements of obligations such as record-keeping and breach notification.

The amount of time that organizations hold onto an individual’s personal data now has to be defined and justified. This is the principle of ‘storage limitation’, commonly referred to as ‘data retention‘ (Article 5(1)(e)): personal data may be kept in an identifiable form for no longer than is necessary for the purpose it was collected for. It is the organization, not the user, that must decide on a retention period (14 months, for instance), document it, and tell the user about it. After the stated period, the data has to be deleted or anonymized.
As an example, these are the statements from the Google Analytics website: “The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers.” Closely related, but distinct, is the ‘right to be forgotten‘ (the right to erasure, Article 17), under which an individual can ask an organization to delete their personal data, for example when it is no longer needed for its original purpose or when the individual withdraws consent. Together these are a giant leap in improving data privacy.

Organizations have to spell out the terms and conditions regarding the usage of a user’s data in a simple and easy to understand manner. There is no room for complicated legal lingo under GDPR. ‘Transparency‘ is of acute importance under the new law. Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous (Article 4(11)): pre-ticked boxes and silence do not count, and withdrawing consent must be as easy as giving it.

If a breach occurs wherein personal data is compromised, an organization has to notify its supervisory authority (the national data protection regulator) within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to pose a risk to individuals (Article 33). Where the breach is likely to result in a high risk to the affected individuals, those individuals must also be informed without undue delay (Article 34). Processors, for their part, must notify the controller without undue delay.

The individuals, or the ‘data subjects’, have the right to know how their personal data is being used. They can ask an organization to confirm whether it is processing their data and, if so, for what purposes, with whom it is shared, and for how long it will be kept, and they can obtain a copy of the data; where the request is made electronically, the copy is provided in a commonly used electronic format. This is the ‘right of access’ for ‘data subjects’ (Article 15), and organizations generally have one month to respond.

Are organizations ready for GDPR?

With data privacy being completely overhauled under the new GDPR, organizations have to change the way they collect, process and hold data. According to this report, only 11% of organizations are completely ready for GDPR and 33% are mostly prepared for it. Will all organizations be 100% ready? Only May 25th, 2018 will tell!